There is such a thing as ‘too much of a good thing’ when it comes to the cloud.
As organizations rushed to retool for remote work in 2020, obviously a greater emphasis was placed on the cloud. As a result, we’ve seen faster adoption of cloud security and cloud-delivered approaches, like SASE, with SD-WAN offered with cloud-delivered firewalls, secure internet gateways, etc.
However, throughout 2021, organizations will begin to feel some pain, which they will come to recognize as the result of an over-rotation to the cloud driven by the assumption that the cloud solves all business problems. While it solves many, it is not a panacea. By assuming that the cloud solves everything, organizations have overlooked the endpoint, where certain controls and capabilities should be carried out instead of in the cloud.
This year, we will see a recalibration, as IT, networking, and security teams find on the endpoint more of the security value they initially looked to the cloud for. For these teams to get what they had before, with on-prem security controls monitoring people at the office, they will be forced to augment what they are doing on the endpoint.
For example, how can functionality like local network-level visibility be delivered by the cloud for traffic on home networks? Cloud-delivered functionality from SASE can see inbound and outbound traffic from endpoints, but it is blind to local home network traffic moving between devices and hitting work laptops. This is where some threats lie, and the ability to address this is better served at the endpoint, with full endpoint context.
In sum, we’ll see a better balance between controls in the data center, cloud and endpoint in 2021.
Infrastructure as code will be the next big culprit.
Will infrastructure as code (IaC) lead to the next headline-breaking breach?
The benefits of IaC are huge and have accelerated the way we do business by increasing innovation through greater productivity. IaC is a technique that truly embodies the DevOps philosophy.
That said, to date, the security side of IaC has been lacking, if not entirely overlooked. We hear about “shifting security left” but realistically, a true DevSecOps model has not been prioritized, and while many embrace the strategy, many fewer really know how to make the organizational changes to fully realize it.
This can leave organizations pursuing IaC for innovation and productivity open to more cyber risk than they realize, and, in turn, that risk could lead to a large-scale attack. Let’s face it: bugs in code, and in IaC configuration files in this case, happen. Because of the power of the automation behind IaC, those bugs can have an outsized impact.
Those unidentified or subtle bugs often occur when things are assembled from multiple developers or operations teams. Your CI/CD pipeline constructing the pieces of that puzzle can create infrastructure containing potentially exploitable misconfigurations or vulnerabilities. These issues will manifest in the gaps where nobody is looking, in the one piece that is missing, or in the one piece that doesn’t fit well with the others. Individual pieces of IaC may pass security tests, but the assembly of all those pieces may not. Naturally, the repercussions are vast.
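The gap between per-piece tests and the assembled result can be shown in a few lines. This is an added example, not code from the article: the resource model, the names (`dmz_a`, `orders_db`) and the two checks are constructed assumptions, not a real IaC format or scanner.

```python
# Constructed fragments owned by two teams (simplified model, not a real IaC format).
NETWORK = [
    {"type": "subnet", "name": "dmz_a", "internet_route": True},
    {"type": "subnet", "name": "data_a", "internet_route": False},
]
DATA = [
    {"type": "database", "name": "orders_db", "subnet": "dmz_a", "encrypted": True},
]

def index_subnets(resources):
    """Map subnet name -> definition for the subnets present in this set."""
    return {r["name"]: r for r in resources if r["type"] == "subnet"}

def check(resources):
    """Return findings for one set of resources. Subnet references are
    resolved only against subnets defined in the same set."""
    subnets = index_subnets(resources)
    findings = []
    for r in resources:
        if r["type"] != "database":
            continue
        if not r.get("encrypted", False):
            findings.append(f"{r['name']}: storage not encrypted")
        subnet = subnets.get(r["subnet"])
        if subnet is None:
            # Defined in another module: a per-module scan cannot judge placement.
            continue
        if subnet["internet_route"]:
            findings.append(
                f"{r['name']}: database in internet-routed subnet {subnet['name']}")
    return findings

def unresolved_refs(resources):
    """References the scan had to skip; the assembled plan should have none."""
    subnets = index_subnets(resources)
    return [(r["name"], r["subnet"]) for r in resources
            if r["type"] == "database" and r["subnet"] not in subnets]

if __name__ == "__main__":
    for label, res in (("network", NETWORK), ("data", DATA),
                       ("assembled", NETWORK + DATA)):
        print(label, check(res), unresolved_refs(res))
```

Each module scans clean on its own; only the assembled set produces the finding, and `unresolved_refs` shows what the per-module run silently skipped.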
In 2021, we will see problems in IaC exploited in security incidents, so the security industry will be left with no choice but to take a hard look at better protective practices for IaC. This will mean a true shift left: both demanding more of a CI/CD focus from security teams and insisting that security considerations become a real part of the CI/CD pipeline. We’ll also see a greater focus on tools that let developers see and fix configuration issues directly in code.
The security industry is behind. Because you can now develop infrastructure in minutes, there is often no time to find vulnerabilities, or prevent misconfigurations from being deployed. With attackers always waiting in the wings, organizations must better keep up with IaC security in 2021 and write more secure configurations to avoid problems.